[DONT MERGE] Allow Kibana authentication via JWT for the predefined set of routes. #159117
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
force-pushed
the
issue-xxx-jwt-poc
branch
from
bd53102
to
ab9040c
Compare
azasypkin
force-pushed
the
issue-xxx-jwt-poc
branch
from
ab9040c
to
15f21e0
Compare
|
Closing in favor of the issue for the proper implementation #162632 |
3 tasks
azasypkin
added a commit
that referenced
this pull request
Aug 23, 2023
…tes only. (#163806) ## Summary Allow Kibana to restrict the usage of JWT for a predefined set of routes only in Serverless environment by default. This capability is not available in non-Serverless environment. Any route that needs to be accessed in Serverless environemnt using JWT as a means of authentication should include `security:acceptJWT` tag. ## How to test If you'd like to generate your own JWT to test the PR, please follow the steps outlined in #159117 (comment) or just run functional test server and use static JWT from the Serverless test. This PR also generated a Serverless Docker image that you can use in your Dev/QA MKI cluster. - [x] Implementation functionality and add unit tests - [x] Update metrics/status routes to include new `security:acceptJWT` tag - [x] Update serverless test suite to include a test for `security:acceptJWT` __Fixes: https://github.com/elastic/kibana/issues/162632__ --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
azasypkin
added a commit
that referenced
this pull request
Dec 4, 2023
## Summary In this PR we: * Allow using JWT credentials to grant API keys * Extend default value of `elasticsearch.requestHeadersWhitelist` to include both `authorization` and `es-client-authentication` to support JWT with required client authentication _by default_. See https://www.elastic.co/guide/en/elasticsearch/reference/8.11/jwt-auth-realm.html#jwt-realm-configuration * Add API integration tests for both JWTs with client authentication and without it __NOTE:__ We're not gating this functionality with the config flag (`xpack.security.authc.http.jwt.taggedRoutesOnly`) as we did for the Serverless offering. It'd be a breaking change as we already implicitly support JWT authentication without client authentication, and to be honest, it's not really necessary anyway. ## Testing Refer to the `Testing` section in this PR description: #159117. Or run already pre-configured Kibana functional test server: 1. `node scripts/functional_tests_server.js --config x-pack/test/security_api_integration/api_keys.config.ts` 2. Create a role mapping for JWT user: ```bash curl -X POST --location "http://localhost:9220/_security/role_mapping/jwt" \ -H "Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d "{ \"roles\": [ \"superuser\" ], \"enabled\": true, \"rules\": { \"all\": [{\"field\" : { \"realm.name\" : \"jwt_with_secret\" }}] } }" ``` 3. Send any Kibana API request with the following credentials: ```bash curl -X POST --location "xxxx" -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2tpYmFuYS5lbGFzdGljLmNvL2p3dC8iLCJzdWIiOiJlbGFzdGljLWFnZW50IiwiYXVkIjoiZWxhc3RpY3NlYXJjaCIsIm5hbWUiOiJFbGFzdGljIEFnZW50IiwiaWF0Ijo5NDY2ODQ4MDAsImV4cCI6NDA3MDkwODgwMH0.P7RHKZlLskS5DfVRqoVO4ivoIq9rXl2-GW6hhC9NvTSkwphYivcjpTVcyENZvxTTvJJNqcyx6rF3T-7otTTIHBOZIMhZauc5dob-sqcN_mT2htqm3BpSdlJlz60TBq6diOtlNhV212gQCEJMPZj0MNj7kZRj_GsECrTaU7FU0A3HAzkbdx15vQJMKZiFbbQCVI7-X2J0bZzQKIWfMHD-VgHFwOe6nomT-jbYIXtCBDd6fNj1zTKRl-_uzjVqNK-h8YW1h6tE4xvZmXyHQ1-9yNKZIWC7iEaPkBLaBKQulLU5MvW3AtVDUhzm6--5H1J85JH5QhRrnKYRon7ZW5q1AQ' -H 'ES-Client-Authentication: SharedSecret my_super_secret' ....for example.... curl -X GET --location "http://localhost:5620/internal/security/me" \ -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2tpYmFuYS5lbGFzdGljLmNvL2p3dC8iLCJzdWIiOiJlbGFzdGljLWFnZW50IiwiYXVkIjoiZWxhc3RpY3NlYXJjaCIsIm5hbWUiOiJFbGFzdGljIEFnZW50IiwiaWF0Ijo5NDY2ODQ4MDAsImV4cCI6NDA3MDkwODgwMH0.P7RHKZlLskS5DfVRqoVO4ivoIq9rXl2-GW6hhC9NvTSkwphYivcjpTVcyENZvxTTvJJNqcyx6rF3T-7otTTIHBOZIMhZauc5dob-sqcN_mT2htqm3BpSdlJlz60TBq6diOtlNhV212gQCEJMPZj0MNj7kZRj_GsECrTaU7FU0A3HAzkbdx15vQJMKZiFbbQCVI7-X2J0bZzQKIWfMHD-VgHFwOe6nomT-jbYIXtCBDd6fNj1zTKRl-_uzjVqNK-h8YW1h6tE4xvZmXyHQ1-9yNKZIWC7iEaPkBLaBKQulLU5MvW3AtVDUhzm6--5H1J85JH5QhRrnKYRon7ZW5q1AQ' \ -H 'ES-Client-Authentication: SharedSecret my_super_secret' \ -H "Accept: application/json" ---- { "username": "elastic-agent", "roles": [ "superuser" ], "full_name": null, "email": null, "metadata": { "jwt_claim_sub": "elastic-agent", "jwt_token_type": "access_token", "jwt_claim_iss": "https://kibana.elastic.co/jwt/", "jwt_claim_name": "Elastic Agent", "jwt_claim_aud": [ "elasticsearch" ] }, "enabled": true, "authentication_realm": { "name": "jwt_with_secret", "type": "jwt" }, "lookup_realm": { "name": "jwt_with_secret", "type": "jwt" }, "authentication_type": "realm", "authentication_provider": { "type": "http", "name": "__http__" }, "elastic_cloud_user": false } ``` __Fixes:__ #171522 ---- Release note: The default value of the `elasticsearch.requestHeadersWhitelist` configuration option has been expanded to include the `es-client-authentication` HTTP header, in addition to `authorization`. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
In this PoC, I introduce the conditional
xpack.security.authc.http.jwt.restrictToPathsconfiguration (available only in the serverless context) that restricts usage of the JWT credentials only to a set of pre-configured Kibana paths:Alternatively can move this logic from authentication layer to the authorization layer with something like this:
Testing
Generate keys
NOTE: Test keys mentioned here aren't secret and already publicly exposed.
JWKS (pkc_jwkset_path)
{ "keys": [ { "kty": "RSA", "e": "AQAB", "use": "sig", "n": "v9-88aGdE4E85PuEycxTA6LkM3TBvNScoeP6A-dd0Myo6-LfBlp1r7BPBWmvi_SC6Zam3U1LE3AekDMwqJg304my0pvh8wOwlmRpgKXDXjvj4s59vdeVNhCB9doIthUABd310o9lyb55fWc_qQYE2LK9AyEjicJswafguH6txV4IwSl13ieZAxni0Ca4CwdzXO1Oi34XjHF8F5x_0puTaQzHn5bPG4fiIJN-pwie0Ba4VEDPO5ca4lLXWVi1bn8xMDTAULrBAXJwDaDdS05KMbc4sPlyQPhtY1gcYvUbozUPYxSWwA7fZgFzV_h-uy_oXf1EXttOxSgog1z3cJzf6Q" } ] }Public key
Private key
Generate JWT
{ "alg": "RS256", "typ": "JWT" }{ "iss": "https://kibana.elastic.co/jwt/", "sub": "aleh.zasypkin@elastic.co", "aud": "elasticsearch", "name": "Aleh Zasypkin", "iat": 946684800, "exp": 4070908800 }eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2tpYmFuYS5lbGFzdGljLmNvL2p3dC8iLCJzdWIiOiJhbGVoLnphc3lwa2luQGVsYXN0aWMuY28iLCJhdWQiOiJlbGFzdGljc2VhcmNoIiwibmFtZSI6IkFsZWggWmFzeXBraW4iLCJpYXQiOjk0NjY4NDgwMCwiZXhwIjo0MDcwOTA4ODAwfQ.LBwLDK4CCYHjtmWZ_J0IwKP6BQjH-8LbKUu1Obj2bUAtZcGVrnO_pY1JXCG582BLegq8_RrlxZ0C8GKN-kvuFt7okPEkMqfT6yCi_gt271Xzlbe01IT6DX5WRm7nT6mjNI4USndemquxl0NxHCm07azKD4MUsYIlgp_YW14ZKmHn4fJW0qgDgt4CeRkLQm5QE--rZ7VnlOFvaAsIlC7bLHHvhj_ntMSraFJEXc1JE7va8QX_D6cXpHbszGjnm9G928gJ24XVjUqXuR23yDNcc6socTPbq8WO9tj67cknCZG1An1wtefDOOKiqMKhrHPvBz9eT1CnOm57l63K8LvulQRun ES
$ yarn es snapshot --license trial \ -E xpack.security.authc.token.enabled=true \ -E xpack.security.authc.realms.native.native1.order=0 \ -E xpack.security.authc.realms.jwt.jwt1.order=1 \ -E xpack.security.authc.realms.jwt.jwt1.token_type=access_token \ -E xpack.security.authc.realms.jwt.jwt1.client_authentication.type=shared_secret \ -E xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret=my_super_secret \ -E xpack.security.authc.realms.jwt.jwt1.allowed_issuer=https://kibana.elastic.co/jwt/ \ -E xpack.security.authc.realms.jwt.jwt1.allowed_subjects=aleh.zasypkin@elastic.co \ -E xpack.security.authc.realms.jwt.jwt1.allowed_audiences=elasticsearch \ -E xpack.security.authc.realms.jwt.jwt1.allowed_signature_algorithms=[RS256] \ -E xpack.security.authc.realms.jwt.jwt1.claims.principal=sub \ -E xpack.security.authc.realms.jwt.jwt1.pkc_jwkset_path=/.../jwks.jsonRun Kibana
yarn start --serverless \ --elasticsearch.requestHeadersWhitelist='["authorization", "ES-Client-Authentication"]' \ --xpack.security.authc.http.jwt.restrictToPaths='["/internal/security/me"]'Authenticate with JWT
Elasticsearch endpoint
{ "username": "aleh.zasypkin@elastic.co", "roles": [], "full_name": null, "email": null, "metadata": { "jwt_claim_aud": [ "elasticsearch" ], "jwt_claim_name": "Aleh Zasypkin", "jwt_claim_iss": "https://kibana.elastic.co/jwt/", "jwt_token_type": "access_token", "jwt_claim_sub": "aleh.zasypkin@elastic.co" }, "enabled": true, "authentication_realm": { "name": "jwt1", "type": "jwt" }, "lookup_realm": { "name": "jwt1", "type": "jwt" }, "authentication_type": "realm" }Kibana endpoint
{ "username": "aleh.zasypkin@elastic.co", "roles": [], "full_name": null, "email": null, "metadata": { "jwt_token_type": "access_token", "jwt_claim_iss": "https://kibana.elastic.co/jwt/", "jwt_claim_name": "Aleh Zasypkin", "jwt_claim_aud": [ "elasticsearch" ], "jwt_claim_sub": "aleh.zasypkin@elastic.co" }, "enabled": true, "authentication_realm": { "name": "jwt1", "type": "jwt" }, "lookup_realm": { "name": "jwt1", "type": "jwt" }, "authentication_type": "realm", "authentication_provider": { "type": "http", "name": "__http__" }, "elastic_cloud_user": false }Try not allowed endpoint:
[2023-06-07T12:00:46.233+02:00][ERROR][plugins.security.http] Attempted to authenticate with JWT credentials against /api/status, but it's not allowed.{ "statusCode": 401, "error": "Unauthorized", "message": "Unauthorized" }Related: #153720